SLIDE 1
DDoS A&acks are a Serious Threat
2
Inferring BGP Blackholing in the Internet Vasileios Giotsas, - - PowerPoint PPT Presentation
Inferring BGP Blackholing in the Internet Vasileios Giotsas, - - PowerPoint PPT Presentation
Inferring BGP Blackholing in the Internet Vasileios Giotsas, Georgios Smaragdakis, Christoph Dietzel, Philipp Richter, Anja Feldmann, and Arthur Berger TU Berlin CAIDA MIT DE-CIX Akamai DDoS A&acks are a Serious Threat 2 AS1
SLIDE 2
SLIDE 3
AS4
Server AS3 AS1 172.18.192.1 AS2
3
SLIDE 4
Networks under A&ack
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
4
SLIDE 5
Blackholing
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
5
SLIDE 6
BGP Blackholing
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
6
BGP
SLIDE 7
BGP Blackholing
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
7
SLIDE 8
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
8
SLIDE 9
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
9
SLIDE 10
BGP Blackholing in the Internet
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
10
SLIDE 11
BGP Blackholing in the Internet
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
172.18.192.1/32 Community = AS3:666
RFC1997, RFC5635, RFC7999
11
172.18.192.1/32 Blackholed Prefix
AS3:666 Blackholing Community
SLIDE 12
BGP Blackholing in the Internet
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
12
RFC1997, RFC5635, RFC7999
SLIDE 13
BGP Blackholing in the Internet
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
172.18.192.1/32 Community = AS3:666
13
RFC1997, RFC5635, RFC7999
SLIDE 14
BGP Blackholing in the Internet
AS4
AQack Target Server AS3 AS1 172.18.192.1 AS2
14
RFC1997, RFC5635, RFC7999
SLIDE 15
AS2
Terminology
AS4
AQack Target Server AS3 AS1 172.18.192.1
172.18.192.1/32 Community = AS3:666
AS3 Blackholing Provider AS4 Blackholing User
15
SLIDE 16
Route Server
BGP Blackholing in an IXP
172.18.192.1 IXP member AS1 member AS2 member AS3 member AS4
16
AQack Target Server
SLIDE 17
Route Server
BGP Blackholing in an IXP
172.18.192.1
172.18.192.1/32 Community = IXP:666
IXP member AS1 member AS2 member AS3 member AS4
17
AQack Target Server
SLIDE 18
Route Server
member AS1
BGP Blackholing in an IXP
172.18.192.1
172.18.192.1/32 Next hop: 80.81.192.66 (blackhole) Community = IXP:666
IXP member AS2 member AS3 member AS4
18
AQack Target Server
SLIDE 19
Route Server
member AS1
BGP Blackholing in an IXP
172.18.192.1 IXP member AS2 member AS3 member AS4
19
AQack Target Server
SLIDE 20
AQack Target Server
Route Server
member AS1
BGP Blackholing in an IXP
172.18.192.1 IXP member AS2 member AS3 member AS4 IXP Blackholing Provider
20
AS4 Blackholing User
SLIDE 21
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
21
SLIDE 22
BGP Blackhole Community DicEonary
- BGP CommuniEes are
standardized
- We mine Internet Registries, NOC webpages etc. for keywords like
“blackhole”, “null route” using Natural Language Processing Level3 DE-CIX
22
SLIDE 23
AS2
Methodology
AS4
AQack Target Server AS3 AS1 172.18.192.1
172.18.192.1/32 AS3 AS1 Community = AS3:666
BGP Collector
23
SLIDE 24
AS2
Methodology
AS4
AQack Target Server AS3 AS1 172.18.192.1 BGP Collector
Starts at t0: A|172.18.192.1/32| provider:AS3|user:AS4|communiaes
24
SLIDE 25
AS2
Methodology
AS4
AQack Target Server AS3 AS1 172.18.192.1 BGP Collector
172.18.192.1/32 Starts at t0: A|172.18.192.1/32| provider:AS3|user:AS4|communiaes Ends at t1: W|172.18.192.1/32
25
SLIDE 26
AS2
Methodology
AS4
AQack Target Server AS3 AS1 172.18.192.1 BGP Collector
Starts at t0: A|172.18.192.1/32| provider:AS3|user:AS4|communiaes Ends at t1: W|172.18.192.1/32
26
SLIDE 27
AS2
Methodology
AS4
AQack Target Server AS3 AS3 AS1 172.18.192.1 BGP Collector
Starts at t0: A|172.18.192.1/32| provider:AS3| user:AS4|communiaes Ends at t1: W|172.18.192.1/32
t3: A|151.18.192.1/32|provider: AS13|user: AS9|communiaes t4: W|151.18.192.1/32 t7: A|125.20.191.1/32|provider: AS30| user: AS11|communiaes t8: W|125.20.191.1/32
27
SLIDE 28
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing Acavity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
28
SLIDE 29
BGP Datasets
29
Source #IP peers #AS peers RIPE 425 313 Route Views 269 197 PCH 8,897 1,721 CDN 3,349 1,282 Total 12,940 2,798
CDN and PCH infer 3x more blackholed prefixes than RIPE and Route Views
SLIDE 30
The Rise of BGP Blackholing
2.5x
30
SLIDE 31
The Rise of BGP Blackholing
4x
31
SLIDE 32
The Rise of BGP Blackholing
6x
32
SLIDE 33
The Rise of BGP Blackholing
Mirai
33
SLIDE 34
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
34
SLIDE 35
BGP Blackholing Inference StaEsEcs
35
SLIDE 36
BGP Blackholing PropagaEon
AS4
AQack Target Server AS3 AS1 172.18.192.1
172.18.192.1/32 Community = AS3:666
AS120 AS130 AS140 BGP Collector BGP Collector
172.18.192.1/32 Community = AS3:666
36
SLIDE 37
BGP Blackholing Inference StaEsEcs
37
Due to Blackholing Propagaaon
SLIDE 38
BGP Blackhole Bundling
AS4
AQack Target Server AS3 AS1 172.18.192.1
172.18.192.1/32 Community = AS3:666, AS20:666, AS30:99, AS40:66
AS20 AS30 BGP Collector AS40
38
SLIDE 39
BGP Blackholing Inference StaEsEcs
39
Due to Blackholing Bundling
SLIDE 40
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
40
SLIDE 41
BGP Blackholing Efficacy: AcEve Measurements
AS4
AQack Target Server AS3 AS1 172.18.192.1
41
SLIDE 42
BGP Blackholing Efficacy: AcEve Measurements
AS4
AQack Target Server AS3 AS1 172.18.192.1
42
SLIDE 43
BGP Blackholing Efficacy: AcEve Measurements
AS4
AQack Target Server AS3 AS1 172.18.192.1
43
SLIDE 44
BGP Blackholing Efficacy: AcEve Measurements
Reducaon by 5 IP hops (on average)
44
SLIDE 45
BGP Blackholing Efficacy: AcEve Measurements
Reducaon by 3 AS hops (on average)
45
SLIDE 46
Agenda
- BGP Blackholing in Detail
- Inference Methodology for BGP Blackholing
- Trends in BGP Blackholing AcEvity
- Visibility of BGP Blackholing
- BGP Blackholing Network Efficacy
- Profile of BGP Blackholing Adopters
46
SLIDE 47
Popularity of Blackholing Providers
47
SLIDE 48
Popularity of Blackholing Providers
48
SLIDE 49
Popularity of Blackholing Users
49
SLIDE 50
Popularity of Blackholing Users
50
43% of bh prefixes belong to content providers/hosters
SLIDE 51
Profile of Blackholed Prefixes
- Open ports in hosts in 60% of the blackholed prefixes
- In many cases default hosEng so`ware configuraEons
- Serve ephemeral or low-ranked domains
50% 40% 30% 20% 10%
51
SLIDE 52
BGP Blackholing DuraEon
52
SLIDE 53
Conclusion
- The first Internet-wide study on the AdopEon and
State of BGP Blackholing
- Methodology to infer Blackholing acEvity from BGP
data
- BGP Blackholing on the rise in all three metrics
(Providers, Users, Prefixes)
- BGP Blackholing is EffecEve in dropping traffic early
- Profile of Blackholed adopters and Insights on Usage
53
SLIDE 54
Thank you!
54